PatchSiren

CVE-2025-37164 Hewlett Packard Enterprise (HPE) CVE debrief

CVE-2025-37164 is a Hewlett Packard Enterprise OneView code injection vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2026-01-07. Because it is on the KEV list, organizations should treat it as a priority remediation item and apply HPE’s mitigations as soon as possible; if mitigations are not available, CISA’s guidance is to discontinue use of the product. No CVSS score was supplied in the source corpus.

Vendor: Hewlett Packard Enterprise (HPE)
Product: OneView
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-01-07
Original CVE updated: 2026-01-07
Advisory published: 2026-01-07
Advisory updated: 2026-01-07

Who should care

HPE OneView administrators, infrastructure and virtualization teams, security operations, vulnerability management, and any organization that depends on OneView for management of HPE environments.

Technical summary

The supplied corpus identifies the issue as a code injection vulnerability in HPE OneView and confirms it was added to CISA’s KEV catalog on 2026-01-07. The corpus does not provide affected versions, attack prerequisites, or a CVSS score, so the safest interpretation is limited to the vendor product, vulnerability class, and known-exploited status. CISA’s listed response is to apply vendor mitigations, follow BOD 22-01 guidance for cloud services where applicable, or discontinue use if mitigations are unavailable.

Defensive priority

High

Recommended defensive actions

  • Review the HPE support bulletin referenced in the CISA KEV entry and apply all vendor-provided mitigations or updates immediately.
  • Inventory all HPE OneView deployments, including any cloud-hosted or externally accessible instances.
  • Prioritize this CVE ahead of non-KEV issues because CISA has listed it as known exploited.
  • If a secure mitigation path is not available, plan to discontinue use of the affected product in line with CISA guidance.
  • Validate compensating controls and monitor for any unusual activity around OneView management interfaces and administrative workflows.

Evidence notes

The evidence in the supplied corpus comes from CISA’s Known Exploited Vulnerabilities source item and its metadata, which identify the product as HPE OneView, the vulnerability as a code injection issue, and the date added as 2026-01-07 with a due date of 2026-01-28. Official reference links were also provided for the CVE record, NVD entry, and CISA KEV catalog. The corpus does not include version ranges, exploit details, or a CVSS score.

Official resources

The supplied data shows the CVE record and KEV entry both published/modified on 2026-01-07. No earlier disclosure or issue date is provided in the corpus, so the timeline here should be anchored to that supplied publication date only.